Procedures for Enabling Active Directory Authentication on UNIX

Enabling Active Directory Authentication on a Samba Server

Enable AD-based authentication to your Samba shares.

The following procedure has been tested with Solaris 8 and 9, Samba 3.0.12pre1 and 3.0.13, MIT Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure assumes installations based in /opt/local.

Download and install the required software.

Before installing, make sure that /usr/ucb is not in your PATH environment variable, or at least that it's toward the end.

Have someone create a machine account for the Samba server in the AD domain.

If the server's hostname doesn't meet AD naming requirements, you'll need to construct a hostname that does. Use this hostname as the netbios name in smb.conf. Also, you should probably add this hostname as an alias for the server's real hostname in DNS.

sudo /opt/local/bin/kinit DomainAdmin@AD.EXAMPLE.COM

Make sure the realm name is entered in all caps.

You'll be prompted for a domain admin password.

sudo /opt/local/samba/bin/net ads join -U DomainAdmin

The -U option isn't required if this command is run shortly after the kinit.

Start the daemons: sudo /etc/init.d/smb.server start.

Test SMB access.

Enabling Active Directory Authentication on UNIX

Enable AD-based authentication to your UNIX system.

The following procedure has been tested with Solaris 8 and 9, MIT Kerberos V5 1.4, and OpenLDAP 2.2.24. Software was compiled with GCC 3.3.2. The procedure assumes installations based in /opt/local.

Download and install MIT Kerberos V5, OpenLDAP, and Samba as described in the procedure to enable AD authentication on a Samba server. In addition:

If /usr is mounted read-only, sudo mount -o remount /usr.

From the source/nsswitch/ directory of the Samba source distribution, copy libnss_winbind.so to /usr/lib/nss_winbind.so.1, with 0555 permissions.

From the source/nsswitch/ directory of the Samba source distribution, copy pam_winbind.so to /usr/lib/security/ with 0555 permissions, and create a symlink to it from /usr/lib/security/pam_winbind.so.1.

Configure the host.

Configure resolv.conf, krb5.conf, and smb.conf as described in the procedure to enable AD authentication on a Samba server.

Add the following lines to smb.conf, substituting appropriate values for template home directories, login shells, and UID/GID ranges:

In /opt/local/etc/sshd_config, the UsePAM parameter should be set to yes.

Create an init script and symlinks as described in the procedure to enable AD authentication on a Samba server. However, you only need to run winbindd, not nmbd or smbd.

Enable Active Directory lookups and authentication.

Join the host to the Active Directory domain as described in the procedure to enable AD authentication on a Samba server.

Kill the nscd process, and disable it from starting again.

If you have rcstart installed, you can run: sudo /etc/init.d/nscd stop; sudo rcstart -n nscd.

Start winbindd with the init script.

Test AD lookups and authentication.

Test Active Directory connectivity via Kerberos and LDAP.

Use /opt/local/samba/bin/wbinfo -n username to get the SID for an AD username.

Use /opt/local/samba/bin/wbinfo -s SID to get the username or group name for an AD SID.

Use /opt/local/samba/bin/wbinfo -g to get the list of AD groups. (This can take a while if there are a lot of groups, and may take several tries until winbindd can receive and cache the results.)

Test lookups via the name service switch.

id username should provide the UNIX UID and primary group for the specified AD user.

getent group groupname should provide the UNIX GID and members of the specified AD group.

Use chown and chgrp to change file and directory ownerships to AD users and groups, and verify that ls -l displays the AD usernames and group names.

Test authentication via PAM.

Log in with an AD username and password, via SSH for instance.

Once logged in as an AD user, you should be able to use id or groups to get the full list of AD groups to which the user belongs.

Test read/write access to files and directories owned by AD users and groups.

Mapping Active Directory Users to Existing UNIX UIDs

Use this procedure on systems where AD user accounts should correspond to UNIX user accounts on other systems. Among other things, this allows NFS shares from a UNIX server to work on an Active Directory UNIX client. The normal behavior of winbind is to arbitrarily assign UIDs to users from the range specified in smb.conf. GIDs will continue to be assigned to groups automatically by winbind after following this procedure.

Open issue: Is there any way to restrict login access to an AD client?

Enable AD authentication as described above.

Ensure that the range specified by idmap uid in smb.conf covers the range of UNIX UIDs to which accounts will be assigned.

winbind lookups for UIDs outside that range will fail.

NB: It's best not to use this procedure on systems that have a mix of AD accounts and UNIX accounts. If both types of accounts have UIDs within the same range, then winbind could automatically assign a UID for an existing UNIX account to an inappropriate AD account.

Install wbuser, a custom script used to list, add, and remove the UID/SID mappings stored in /opt/local/samba/var/locks/winbindd_idmap.tdb.

If desired, print a list of the current mappings with wbuser -l.

For each user, execute sudo wbuser -a username UID, where username is the AD username, and UID is the UNIX UID assigned to it.
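A pre-flight check for this mapping step, added here as an example and not part of the original procedure or of the wbuser script: it parses the idmap uid range from smb.conf and then flags each proposed username/UID pair that falls outside that range (winbind lookups would fail) or that collides with a UID already in the local passwd file (the mixed-accounts case noted above). The smb.conf fragment, passwd entries and mapping list are constructed samples, and the script assumes only a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not part of the original procedure): pre-flight check for
# the wbuser mapping step. The smb.conf fragment, passwd entries and
# mapping list below are constructed samples, not taken from a real host.
SMB_CONF=$(mktemp); PASSWD=$(mktemp); MAP=$(mktemp)
cat >"$SMB_CONF" <<'EOF'
[global]
   workgroup = AD
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
jdoe:x:10042:100:Jane Doe:/home/jdoe:/bin/sh
EOF
printf 'asmith 10500\nbjones 500\ncwong 10042\n' >"$MAP"

# idmap_range FILE: print "LOW HIGH" parsed from the "idmap uid" line.
idmap_range() {
    awk -F= '/^[ \t]*idmap uid[ \t]*=/ {
        gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2] }' "$1"
}

# check_uid UID LOW HIGH PASSWDFILE: 0 = usable, 1 = outside the idmap
# range (winbind lookups would fail), 2 = already a local UNIX account.
check_uid() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ] || return 1
    awk -F: -v u="$1" '$3 == u { f = 1 } END { exit !f }' "$4" && return 2
    return 0
}

# check_mappings MAPFILE: one "username UID" per line; prints a verdict
# per entry and returns the number of rejected entries.
check_mappings() {
    range=$(idmap_range "$SMB_CONF"); low=${range% *}; high=${range#* }
    bad=0
    while read -r user uid; do
        rc=0; check_uid "$uid" "$low" "$high" "$PASSWD" || rc=$?
        case $rc in
            0) echo "$user $uid: ok -> sudo wbuser -a $user $uid" ;;
            1) echo "$user $uid: REJECT, outside idmap uid $low-$high"; bad=$((bad+1)) ;;
            2) echo "$user $uid: REJECT, UID already in $PASSWD"; bad=$((bad+1)) ;;
        esac
    done <"$1"
    return $bad
}

check_mappings "$MAP" || echo "$? mapping(s) rejected; fix before running wbuser"
```

On a live host, point SMB_CONF and PASSWD at the real files and feed the list of planned username/UID pairs as MAP; only entries reported ok should be passed to wbuser -a.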